A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide using a new PowerShell-based stealer dubbed PowerShortShell by security researchers at SafeBreach Labs.
The info stealer is also used for Telegram surveillance and collecting system information from compromised devices that get sent to attacker-controlled servers together with the stolen credentials.
As SafeBreach Labs discovered, the attacks (
publicly reported in September on Twitter by the Shadow Chaser Group) started in July as spear-phishing emails.
They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as
CVE-2021-40444.
The PowerShortShell stealer payload is executed by a DLL downloaded on compromised systems. Once launched, the PowerShell script starts collecting data and screen snapshots, exfiltrating it to the attacker's command-and-control server.
"Almost half of the victims are located in the United States. Based on the Microsoft Word document content - which blames Iran’s leader for the 'Corona massacre' and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran's Islamic regime,"
said Tomer Bar, Director of Security Research at SafeBreach Labs.
